A team of “security researchers” has announced that they managed to issue false SSL certificates by exploiting an MD5 vulnerability. This was announced publicly at a hackers’ conference today in Berlin, with full details disclosed here

They did so using a known weakness in the MD5 hash function, and used a cluster of 200 PS3s to compute the false SSL certificate. The PlayStation 3 was chosen for its Cell microprocessor and vector-calculation capabilities, which make it well suited to brute-force computations like this one.

This means the SSL protection advertised by banks or ecommerce websites is now compromised.

If you purchased an SSL certificate from RapidSSL or FreeSSL (one of the “cracked” SSL providers), you must take steps to verify the integrity of your servers, even if it’s highly unlikely that a hacker will find the resources to gather 200 PS3s overnight to take advantage of this vulnerability. Look, for instance, for a provider which signs its certificates with SHA-1 instead of MD5.
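Checking which hash your CA actually signed with does not require trusting the provider's marketing: the hash is recorded in the `signatureAlgorithm` field of every certificate. The script below is an added example, not code from the original post or from any CA's tooling. It uses a small hand-written DER reader (Python standard library only) to read that field from each certificate in a chain and flags any certificate signed with md5WithRSAEncryption or md2WithRSAEncryption. The OIDs are the real PKCS#1 values; the certificates it runs on are constructed skeletons produced by the assumed helper `constructed_cert`, not real certificates. On a real chain you would pass the DER bytes of each certificate (`der_from_pem` strips a PEM wrapper).

```python
"""Flag certificates in a chain whose CA signature uses MD5 (or MD2).

Added example, not code from the original post. A minimal DER reader pulls
the outer `signatureAlgorithm` OID out of an X.509 certificate, which is the
hash the issuing CA signed with. The certificates checked at the bottom are
constructed skeletons built by `constructed_cert`, not real certificates.
"""
import base64
import re

# PKCS#1 RSA signature OIDs (real values, RFC 3279 / RFC 4055)
MD2_RSA = "1.2.840.113549.1.1.2"
MD5_RSA = "1.2.840.113549.1.1.4"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {MD2_RSA: "md2WithRSAEncryption", MD5_RSA: "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn OID content bytes into dotted form (first byte packs the first two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def der_from_pem(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate: skipped, only the next field matters
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm: AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)

def weak_links(chain_der):
    """(index, algorithm name) for every certificate in the chain signed with MD2/MD5."""
    found = []
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm_oid(cert)
        if oid in WEAK_SIGNATURE_OIDS:
            found.append((i, WEAK_SIGNATURE_OIDS[oid]))
    return found

# Constructed sample input: a DER encoder just big enough to build skeleton certificates.
def _der(tag, content):
    """Encode one DER TLV; supports lengths up to 65535, enough here."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def _encode_oid(dotted):
    """Inverse of _decode_oid: dotted OID string to content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def constructed_cert(sig_oid):
    """Constructed certificate skeleton (assumed for the demo): placeholder tbsCertificate,
    a real AlgorithmIdentifier for sig_oid, and a dummy 1024-bit signature BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL parameters
    sig = _der(0x03, b"\x00" + b"\x00" * 128)  # leading 0x00 = no unused bits
    return _der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    # Constructed chain: leaf signed with SHA-256, intermediate signed with MD5, root with SHA-1.
    chain = [constructed_cert(SHA256_RSA), constructed_cert(MD5_RSA), constructed_cert(SHA1_RSA)]
    for index, name in weak_links(chain):
        print(f"certificate #{index} in the chain was signed with {name}: weak link")
```

Note what the field tells you: the `signatureAlgorithm` on a leaf or intermediate certificate is the hash its issuer used, so an MD5 value there means that CA is still producing MD5 signatures, which is exactly what lets a colliding certificate pass as genuine. A root's own self-signature is not what browsers verify, so the leaf and intermediate entries are the ones to act on.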

Comments

greg maclellan
December 31st, 2008 1:18 am

Actually, there is no possible compromise for individual site owners. It doesn’t matter where you purchased a certificate from.

What they did was create a “rogue” root certificate authority (CA). There are a handful of CAs that are trusted by all the main browsers, and any certificates that those CAs sign are also trusted (this is what you pay RapidSSL, Verisign etc for). Normally anyone can create their own CA, but because it is not trusted by any browsers, the certificates it signs are also not trusted, and you get warnings.

The researchers created their own CA, and their own normal website certificate. They then paid to get the website certificate signed (just like you would normally when you get a certificate for your website). The difference here is that they found a way to exploit a vulnerability in md5, allowing them to effectively take the signature the CA created for their website certificate, and use it for their CA. Now they have a CA certificate that looks like it was signed by the trusted RapidSSL CA, which means that their CA is also trusted – and any certificates their CA signs are ALSO trusted.

They can effectively issue a certificate for any website they please, and an end-user would not be able to tell that anything is wrong unless they were REALLY savvy and inspected the certificate chain, and noticed it was not signed by the normal CA. Most people, even the most hardcore network techs, would not recognize this.

The only thing you can do as a site owner is to pressure your CA to stop using md5 as their certificate algorithm. As an end user, you can pressure your browser vendor to remove any trusted root CAs that use md5.

Other than that, so long as there are trusted root CAs using md5, *EVERY* site (no matter what CA vendor you use) is vulnerable to someone creating their own valid certificate for your website. If they can also redirect traffic to their server, they can then do very effective and almost undetectable phishing attacks on your users.

greg, thanks for the details, and yes, it’s much more complex than the quick post I wrote.

Concerning individual site owners, phishing attacks are quite possible on end-users, by taking advantage of this vulnerability. As you wrote, it’s very hard for end-users to verify the integrity of the certificate, and so they can be tricked into believing that they are served the correct content.

Individual site owners should indeed put pressure on the certificate provider that they stop using md5. If the provider can’t guarantee the integrity of the certificate, they should then consider switching providers (switch away from RapidSSL especially).

I also think browser vendors (Mozilla, Apple, Microsoft, Opera) and ecommerce/banking websites should overhaul the security scheme used for their systems. There’s a weak link with certificate providers (the CAs you mention), and just the thought of doing online banking or purchases uneases me.

verdon vaillancourt
January 1st, 2009 10:01 am

Good post and comments. Thanks! I switched from rapidssl to trustwave a year or so ago, mostly ’cause rapidssl was such a pain in the @ss. I’ll have to do a little more research on trustwave now to be sure. Thanks again for the heads up :)

verdon, glad that the post was helpful. You made the right move one year ago; this story finally reveals how sloppy rapidssl is.

greg maclellan
January 3rd, 2009 11:48 am

All I wanted to point out was that switching from RapidSSL does not ensure your site will not be attacked in this way – it is just a way of telling RapidSSL that they need to stop using md5 (voting with your wallet, so to speak). So long as RapidSSL or ANY other CA using md5 is trusted, it doesn’t matter if you have a $500 or a $15 SSL certificate – someone would be able to use this attack to spoof your site.